Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-06-2024 13:06
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: IMHttpComm.dll, win7-20240508-en
- behavioral2: IMHttpComm.dll, win10v2004-20240611-en
- behavioral3: ImLookExU.dll, win7-20240611-en
- behavioral4: ImLookExU.dll, win10v2004-20240508-en
- behavioral5: ImLookU.dll, win7-20240508-en
- behavioral6: ImLookU.dll, win10v2004-20240611-en
- behavioral7: ImNtUtilU.dll, win7-20231129-en
- behavioral8: ImNtUtilU.dll, win10v2004-20240508-en
- behavioral9: ImPackr.exe, win7-20240508-en
- behavioral10: ImPackr.exe, win10v2004-20240508-en
- behavioral11: ImUtilsU.dll, win7-20240220-en
- behavioral12: ImUtilsU.dll, win10v2004-20240611-en
- behavioral13: ImWrappU.dll, win7-20240611-en
- behavioral14: ImWrappU.dll, win10v2004-20240508-en
- behavioral15: SftTree_IX86_U_60.dll, win7-20240221-en
- behavioral16: SftTree_IX86_U_60.dll, win10v2004-20240508-en
- behavioral17: mfc80u.dll, win7-20240611-en
- behavioral18: mfc80u.dll, win10v2004-20240226-en
- behavioral19: msvcp80.dll, win7-20240508-en
- behavioral20: msvcp80.dll, win10v2004-20240508-en
- behavioral21: msvcr80.dll, win7-20240508-en
- behavioral22: msvcr80.dll, win10v2004-20240611-en
- behavioral23: wlessfp1.dll, win7-20240508-en
- behavioral24: wlessfp1.dll, win10v2004-20240611-en
General
- Target: ImPackr.exe
- Size: 102KB
- MD5: 2f779ac4318fd4990c828f60d16f2b17
- SHA1: a188080158f8cdfe5050d6e828fb69e17ac0be19
- SHA256: 689951b03517f77b6c04bb57f604f50736dc1a86b87253b0dee73722d4520a11
- SHA512: 7f6dc79ab6db4615bb0c7b31d36cc8750373f9b7c199bfaa8e1eff9dbd6f0b790fe7e4c9dc86b62abb811d93e946e68ddc171701bddba423079447124ca6464c
- SSDEEP: 1536:BdPnjwBj/h13T5KRy8DiliMz+WPSC0mJcSs93k0TmOTWAnBchQlQICRXRXYu:BdPjwRrdoirza7C0iOPchc6Np
Malware Config
Extracted: stealc
Extracted: vidar
- 10.1
- 89083e6d7cd1c8c460b86fe6e70bf17b
- https://guillerme.xyz/
- https://t.me/memve4erin
- https://steamcommunity.com/profiles/76561199699680841
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Signatures
- Detect Vidar Stealer (1 IoCs)
  Processes:
  resource: behavioral10/memory/1228-64-0x0000000000670000-0x00000000008BD000-memory.dmp, yara_rule: family_vidar_v7
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 1956, process ImPackr.exe
- Loads dropped DLL (13 IoCs)
  Processes:
  pid 1956, process ImPackr.exe (13 occurrences)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description: PID 1956 set thread context of 3404, pid 1956, process ImPackr.exe, target process netsh.exe
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes:
  description: Key opened, ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, process: netsh.exe
  description: Key queried, ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, process: netsh.exe
  description: Key value enumerated, ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, process: netsh.exe
- Checks processor information in registry (2 TTPs, 1 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, process: SearchIndexer.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid 3804, process timeout.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  pid 3680 ImPackr.exe; pid 1956 ImPackr.exe (2 occurrences); pid 3404 netsh.exe (2 occurrences); pid 1228 SearchIndexer.exe (2 occurrences)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid 1956 ImPackr.exe; pid 3404 netsh.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  PID 3680 wrote to memory of 1956 (ImPackr.exe -> ImPackr.exe), 3 occurrences
  PID 1956 wrote to memory of 3404 (ImPackr.exe -> netsh.exe), 4 occurrences
  PID 3404 wrote to memory of 1228 (netsh.exe -> SearchIndexer.exe), 5 occurrences
  PID 1228 wrote to memory of 5056 (SearchIndexer.exe -> cmd.exe), 3 occurrences
  PID 5056 wrote to memory of 3804 (cmd.exe -> timeout.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\ImPackr.exe (PID 3680)
  command line: "C:\Users\Admin\AppData\Local\Temp\ImPackr.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\EdHelp\ImPackr.exe (PID 1956)
    command line: C:\Users\Admin\AppData\Roaming\EdHelp\ImPackr.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 3404)
      command line: C:\Windows\SysWOW64\netsh.exe
      - Event Triggered Execution: Netsh Helper DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\SearchIndexer.exe (PID 1228)
        command line: C:\Windows\SysWOW64\SearchIndexer.exe
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 5056)
          command line: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\SysWOW64\SearchIndexer.exe" & rd /s /q "C:\ProgramData\JEGDGIIJJECF" & exit
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\timeout.exe (PID 3804)
            command line: timeout /t 10
            - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads